The New Whistleblower Protection Act – An Overview
Until recently, employees who reported the shortcomings and legal infringements of their own employers risked facing disciplinary action or even the termination of their employment. This is to change in the future and whistleblowers will be better protected in the professional environment. The laid the foundation for this change as early as the end of 2019 at EU law level. The Directive was, in fact, supposed to be implemented into national legislation by December last year. However, the German legislature failed to do so. The infringement proceedings initiated against Germany seem to have provided the German legislature with further motivation. Meanwhile, an approximately 100-page governmental draft of the German has been presented to the German parliament, the Bundestag, for deliberation. The outlook seems extremely promising under the three party "traffic light" coalition. The bill is likely to be passed in early 2023, and the Act should come into force three months later.
Private and public employers will have to prepare themselves as soon they will come under the purview of extensive whistleblower protection regulations. We will therefore now discuss the regulations that are of most practical relevance.
Who and what would be protected?
All natural persons who have obtained information about criminal violations of EU law and/or the German law in connection with or even prior to their employment and who report or disclose this information to the designated authority are protected. The actual scope of the further extends to include specific violations punishable by fines as well as reports of violations of regulations in other legal areas. Guidelines on preventing money laundering, about occupational and product safety, as well as consumer, environment and animal protection are particularly relevant. The also protects those persons who are the subject of such reporting or disclosure, or are affected by it.
What are the requirements for employers?
The aim of the binding regulations of the is to create legal certainty with regard to the situation and the provisions under which whistleblowers are protected when reporting or disclosing violations. At the same time, the processes should be easily manageable by the business and the administration. At the core of the bill is the creation of an organised reporting system. Whistleblowers should be able to communicate their suspicions in a protected environment. At the same time, employers will be obliged, among other things, to prepare appropriate instructions as well as to create proper documentation and information about the processes. Failure to fulfil these requirements will lead to penalties. The requirements to be considered in future are:
Setting up and organisation of internal reporting offices
Under the all companies with at least 50 employees, and all companies in the financial and insurance sectors and public offices, regardless of the number of employees, are obliged to set up an internal reporting office which the employees may make reports to. In future, these offices will be responsible for operating the reporting channels (which will be set up later), checking the validity of the information and taking follow-up actions (for instance, internal investigations, contacting the affected people and departments). The also stipulates the implementation of external reporting offices for specific federal and state authorities. Thus, the draft bill provides for two alternative ways of reporting -- the whistleblower is at liberty to choose either.
Appropriate and competent responsible authority
At least one appropriate and competent person (such as the head of the compliance department, the integrity officer, the head of the legal department, the data protection officer or the audit officer) should be identified as the internal reporting officer. Their competence must be ensured by the employer by means of appropriate training. A third party may also be entrusted with the tasks of the internal reporting office. Internal reporting offices may, for instance, employ an ombudsperson or even external lawyers.
Safe reporting channels
The obligates employers to ensure the safety and dependability of the internal reporting channels. Whistleblowers should be able to make a report at any time, in writing and/or verbally by telephone or any other method of voice communication. Anonymous reports can, but do not have to, be processed. In addition, it should be possible to request to arrange a meeting with the internal reporting office member responsible for receiving the information.
Confidentiality and secrecy obligations
Internal reporting offices are under a strict obligation to maintain confidentiality. The identity of the whistleblower must be protected, which means that all information that may allow inferences to be drawn regarding the whistleblower’s identity must be kept confidential. This protection also applies with regard to the people who are the subject of the reporting. Such people are not to be provided with any information, nor do they have any right of access under data protection law. However, legal exceptions to the confidentiality obligation are applicable in the case of whistleblowers who provide incorrect information wilfully or as a result of gross negligence. Furthermore, the information may be shared with law enforcement authorities upon request, or be disclosed in subsequent administrative proceedings or on the grounds of a court order where the whistleblower must be informed of the disclosure in advance.
Deadlines, obligation to provide information and documentation obligation
Employees need to be provided with information about alternative external reporting channels and the relevant reporting processes of the EU institutions, bodies, and agencies so that whistleblowers are able to exercise their right to chose the reporting channel they use. The information should be clearly understandable and easily accessible. Upon receiving a report, the internal reporting offices are obliged to inform the whistleblower that their report has been received within 7 days. After three months, the whistleblower should be provided information about the subsequent actions taken or planned and the reasons thereof, the status of the internal investigations and/or their outcomes. At the same time, the reports received and the entire process up to its conclusion should be documented in detail.
Prohibition of retaliation and reversal of the burden of proof
Provided a whistleblower proceeds in accordance with the regulations under the , it is prohibited to impose, attempt or threaten retaliation against them. This includes discrimination such as dismissal, demotion, disciplinary actions and also damage to the whistleblower's reputation. In the event of a dispute, this protection will also apply when dealing with the government authorities and courts. If such an action is taken after a report or disclosure has been made, any future discrimination would be assumed to be reacting to the whistleblowing in favour of the whistleblower. It would be for the employer to prove otherwise.
Penalties in the event of breaches
Serious penalties may be levied in the event of breaches of the provisions of the new A fine of up to 20,000 euros may be imposed in case no internal reporting office is set up, or if such office does not come up to the required standards. A fine of up to 100,000 euros may be imposed for hindering or attempting to hinder reporting. The same applies if unjustified retaliation is taken against a whistleblower or if the identity of a whistleblower is jeopardised through a breach of confidentiality. If no action is taken, even after reporting, the whistleblower may also publicly disclose the information under the protection of the .
Compensation in the event of false information
Making false reports can have far-reaching consequences and the repercussions can rarely be fully undone. If an incorrect report or disclosure is made wilfully or as a result of gross negligence, the draft bill provides for compensation claims to be filed by the affected parties.
It is clear that the German will come into force. Smaller companies with a maximum of 249 employees will be given more time (until 31 December 2023) to set up internal reporting offices. All other companies and public offices, however, will have to be ready to act imminently when the Act comes into force. Therefore, all obligated parties are advised to review their present compliance systems, guidelines and relevant regulations for compliance with the new legal requirements and to set up an internal reporting office. It is also advisable to create appropriate incentives to encourage employees to first report any relevant breaches to the internal reporting office. This will allow grievances to be examined internally and with the required due diligence. Afterwards a decision should be taken regarding any appropriate action.